Preface


This user guide is intended for application developers who will use the Qualys Certificate 
View API. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com. 


Contact Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/. 
Chapter 1 - Get Started


Qualys API Framework - Learn the basics about making API requests. The base URL
depends on the platform where your Qualys account is located.


Introduction to Certificate View API Paradigm - Get tips on using the Curl command-line
tool to make API requests. Every API request must authenticate using a JSON Web Token
(JWT) obtained from the Qualys Authentication API.


Get API Notifications 


Subscribe to our API Notifications RSS Feeds for announcements and latest news. 


From our Community 
Join our Community 
API Notifications RSS Feeds 


Qualys API Framework 


The Qualys Certificate View API uses the following framework. 


Request URL
The URL for making API requests respects the following structure:
https://<baseurl>/<module>/<object>/<object_id>/<operation>


where the components are described below.


<baseurl>      The Qualys API server URL that you should use for API
               requests depends on the platform where your account
               is located. The base URL for Qualys US Platform 1 is:
               https://gateway.qg1.apps.qualys.com

<module>       The API module. For the Certificate View API, the
               module is: "certview".

<object>       The module specific object.

<object_id>    (Optional) The module specific object ID, if appropriate.

<operation>    The request operation, such as count.
Qualys API Gateway URL
The Qualys API URL you should use for API requests depends on the Qualys platform
where your account is located.
Click here to identify your Qualys platform and get the API URL


This documentation uses the API gateway URL for Qualys US Platform 1
(https://gateway.qg1.apps.qualys.com) in sample API requests. If you're on another
platform, please replace this URL with the appropriate gateway URL for your account.
Introduction to Certificate View API Paradigm


Authentication 


You must authenticate to the Qualys Cloud Platform using Qualys account credentials 
(user name and password) and get the JSON Web Token (JWT) before you can start using 
the Certificate View APIs. Use the Qualys Authentication API to get the JWT. 


For example,


curl -X POST https://gateway.qg1.apps.qualys.com/auth \
  -d "username=value1&password=passwordValue&token=true&permissions=true" \
  -H "Content-Type: application/x-www-form-urlencoded"


where gateway.qg1.apps.qualys.com is the base URL to the Qualys API server where your
account is located.


- username and password are the credentials of the user account for which you want to 
fetch Certificate View data 


- token should be true 
- permissions should be true 
- Content-Type should be "application/x-www-form-urlencoded" 


The Authentication API returns a JSON Web Token (JWT) which you can use for 
authentication during Certificate View API calls. The token expires in 4 hours. You must 
regenerate the token to continue using the Certificate View API. 


Using Curl 


Curl is a multi-platform command-line tool used to transfer data using multiple
protocols. This tool is supported on many systems, including Windows, Unix, Linux and 
Mac. In this document Curl is used in the examples to build Qualys API requests using the 
HTTP over SSL (https) protocol, which is required. 


Want to learn more? Visit https://curl.haxx.se/ 


The following Curl options are used according to different situations: 


Option / Description

-X "POST"
    The POST method is required for all Certificate View API
    requests.

-H "Authorization: Bearer <token>"
    This option is used to provide a custom HTTP request header
    parameter for authentication. Provide the JSON Web Token (JWT)
    received from Qualys authentication API in the following format:
    Authorization: Bearer <token>
    For information about Qualys authentication API, see
    Authentication.
The sample below shows a typical Curl request using options mentioned above and how
they interact with each other.


curl -X POST "https://gateway.qg1.apps.qualys.com/auth" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=john_doe&password=john_doe&token=true&permissions=true"
Chapter 2 - Certificate API


Use these API functions to retrieve a list of certificates based on an input filter query (List 
Certview Certificates) and to retrieve asset details of a specific certificate having more 
than 1000 assets (List Assets for a Certificate). 


List Certview Certificates 
/certview/v1/certificates 
[POST] 


Use the List Certview Certificates API function to retrieve a list of certificates based
on an input filter query. The response contains certificate details including
associated host information and SSL/TLS related vulnerabilities and grades.


Input Parameters 


filter (String)
    (Optional) Filter the events list by providing a query using
    Qualys syntax. Refer to the How to Search topic in the online
    help for assistance with creating your query.

    For example - expiryGroup: Expired

    Refer to the list of tokens you can use to build the query:
    Search tokens

pageNumber (Integer)
    (Optional) The page to be returned. Starts from zero.

pageSize (Integer)
    (Optional) Provide the number of records per page to be
    included in the response.
    Default: 10.
    Maximum: 200

    For example, the total result set is 50 assets. If the page size is
    specified as 10, then the result is divided in 5 pages with 10
    assets each.

sort (String)
    (Optional) Sort the results using a Qualys token.
    For example - [{"lastFound":"desc"}]

Authorization (String)
    (Required) Authorization token to authenticate to the Qualys
    Cloud Platform.
    Prepend token with "Bearer" and one space. For example -
    Bearer authToken

certificateDetails (String)
    (Optional) Define the level of certificate attributes you want to
    list. Default value basic is used to fetch commonly used
    attributes. Use value extended to fetch these additional
    attributes:
    - Serial number
    - Auth Key Identifier
    - Subject Key Identifier
    - Key Usage
    - Base64 certificate
    - Enhanced Key Usage

    The enhancedKeyUsage attribute returns a list of OIDs in the
    EKU attribute of the certificate.
    Some of the most commonly used OIDs are:

    1.3.6.1.5.5.7.3.1 - Server Authentication
    1.3.6.1.5.5.7.3.2 - Client Authentication
    1.3.6.1.5.5.7.3.3 - Code Signing
    1.3.6.1.5.5.7.3.4 - Email Protection
    1.3.6.1.5.5.7.3.8 - Time Stamping
    1.3.6.1.5.5.7.3.9 - OCSP Signing

    For more information refer to http://www.oid-info.com/


Notes: 


- This API supports both new and old query format. For more details refer to Query
Example.


- If you want to generate a CSV report for more than 10000 certificates, use scheduled
reports from Qualys Cloud Platform.


- If the data you are looking for is not available in CSV reports, use additional filters
instead of requesting all certificates.


You can use the following filters for better results:
- Last Found Date < 1 month/3 months/6 months
- Expiration Date < 1 yr/between 1 yr and 2 yrs/etc
- Approved vs Unapproved CAs vs Self-signed CAs


Permissions
- User must be a Super User or must have the CERTVIEW.API.ACCESS permission.


Sample with all parameters defined 


Request: 


curl -X POST "https://gateway.qg1.apps.qualys.com/certview/v1/certificates" \
  -H "Accept: application/json" -H "Content-Type: application/json" \
  -d "{ \"filter\" : \"subject.name:www.qualys.com\", \"pageNumber\": 0, \"pageSize\" : 1}" \
  -H "Authorization: Bearer <JWT Token>"


Response: 
[
  {
    "keySize": 2048,
    "subject": {
      "organization": "Qualys, Inc.",
      "locality": "Foster City",
      "name": "www.qualys.com",
      "state": "California",
      "country": "US",
      "organizationUnit": []
    },
    "validFrom": 1596067200000,
    "signatureAlgorithm": "SHA256withRSA",
    "issuer": {
      "organization": "DigiCert Inc",
      "organizationUnit": [
        "www.digicert.com"
      ],
      "name": "DigiCert SHA2 Extended Validation Server CA",
      "country": "US",
      "state": "",
      "certhash": "403e062a2653059113285baf80a0d4ae422c848c9f78fad01fc94bc5b87fef1a",
      "locality": ""
    },
    "rootissuer": {
      "organization": "DigiCert Inc",
      "organizationUnit": [
        "www.digicert.com"
      ],
      "name": "DigiCert SHA2 Extended Validation Server CA",
      "country": "US",
      "state": "",
      "certhash": "7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf",
      "locality": ""
    },
    "instanceCount": 1,
    "dn": "CN=www.qualys.com, O=\"Qualys, Inc.\", L=Foster City, ST=California, C=US, serialNumber=3152140, StateOrProvince=Delaware, CountryName=US, businessCategory=Private Organization",
    "certhash": "61ffdf5ec74189b0f6f256fc42fe858bb04c1862c0f4cb9ec9d5f9bf4b2e0499",
    "assets": [
      {
        "netbiosName": "",
        "assetId": "a8999684-49c1-4492-87a9-8a9f77a1ef84",
        "name": "www.qualys.com",
        "operatingSystem": "NetScaler",
        "tags": [
          {
            "name": "Internet Facing Assets",
            "uuid": "49af0a63-f5f2-4b2c-b942-af22afd91243"
          }
        ],
        "hostInstances": [
          {
            "protocol": "tcp",
            "sslProtocols": [
              "TLSv1.2"
            ],
            "port": 443,
            "grade": "A",
            "service": "http",
            "fqdn": "",
            "vulnerabilities": [
              { "title": "SSL Certificate - Information", "severity": 1, "qid": 86002 },
              { "title": "SSL/TLS Protocol Properties", "severity": 1, "qid": 38706 },
              { "title": "SSL Server Information Retrieval", "severity": 1, "qid": 38116 },
              { "title": "SSL/TLS invalid protocol version tolerance", "severity": 1, "qid": 38597 },
              { "title": "HTTP Strict Transport Security (HSTS) Support Detected", "severity": 1, "qid": 86137 },
              { "title": "TLS Secure Renegotiation Extension Support Information", "severity": 1, "qid": 42350 }
            ],
            "vulnCount": 6
          }
        ],
        "created": 1568753271000,
        "updated": 1600191908000,
        "assetInterfaces": [
          {
            "hostname": "www.qualys.com",
            "address": "64.39.96.133"
          }
        ],
        "certificateCount": 0
      }
    ],
    "selfSigned": false,
    "validTo": 1628078400000,
    "issuerCategory": "unapproved",
    "subjectAlternativeNames": {
      "IP Address": null,
      "DNS Name": [
        "qualys.com",
        "www.qualys.com"
      ]
    },
    "lastFound": 1600191908000,
    "extendedValidation": true,
    "orderStatus": ""
  }
]


Sample with certificateDetails parameter set to Basic


Request:


curl -X POST "https://gateway.qg1.apps.qualys.com/certview/v1/certificates" \
  -H "Accept: application/json" -H "Content-Type: application/json" \
  -d "{ \"filter\" : \"subject.name:www.qualys.com\", \"pageNumber\": 0, \"pageSize\" : 1, \"certificateDetails\": \"basic\"}" \
  -H "Authorization: Bearer <JWT Token>"


Response: 
[
  {
    "keySize": 2048,
    "subject": {
      "organization": "Qualys, Inc.",
      "locality": "Foster City",
      "name": "www.qualys.com",
      "state": "California",
      "country": "US",
      "organizationUnit": []
    },
    "validFrom": 1596067200000,
    "signatureAlgorithm": "SHA256withRSA",
    "issuer": {
      "organization": "DigiCert Inc",
      "organizationUnit": [
        "www.digicert.com"
      ],
      "name": "DigiCert SHA2 Extended Validation Server CA",
      "country": "US",
      "state": "",
      "certhash": "403e062a2653059113285baf80a0d4ae422c848c9f78fad01fc94bc5b87fef1a",
      "locality": ""
    },
    "rootissuer": {
      "organization": "DigiCert Inc",
      "organizationUnit": [
        "www.digicert.com"
      ],
      "name": "DigiCert SHA2 Extended Validation Server CA",
      "country": "US",
      "state": "",
      "certhash": "7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf",
      "locality": ""
    },
    "instanceCount": 1,
    "dn": "CN=www.qualys.com, O=\"Qualys, Inc.\", L=Foster City, ST=California, C=US, serialNumber=3152140, StateOrProvince=Delaware, CountryName=US, businessCategory=Private Organization",
    "certhash": "61ffdf5ec74189b0f6f256fc42fe858bb04c1862c0f4cb9ec9d5f9bf4b2e0499",
    "assets": [
      {
        "netbiosName": "",
        "assetId": "a8999684-49c1-4492-87a9-8a9f77a1ef84",
        "name": "www.qualys.com",
        "operatingSystem": "NetScaler",
        "tags": [
          {
            "name": "Internet Facing Assets",
            "uuid": "49af0a63-f5f2-4b2c-b942-af22afd91243"
          }
        ],
        "hostInstances": [
          {
            "protocol": "tcp",
            "sslProtocols": [
              "TLSv1.2"
            ],
            "port": 443,
            "grade": "A",
            "service": "http",
            "fqdn": "",
            "vulnerabilities": [
              { "title": "SSL Certificate - Information", "severity": 1, "qid": 86002 },
              { "title": "SSL/TLS Protocol Properties", "severity": 1, "qid": 38706 },
              { "title": "SSL Server Information Retrieval", "severity": 1, "qid": 38116 },
              { "title": "SSL/TLS invalid protocol version tolerance", "severity": 1, "qid": 38597 },
              { "title": "HTTP Strict Transport Security (HSTS) Support Detected", "severity": 1, "qid": 86137 },
              { "title": "TLS Secure Renegotiation Extension Support Information", "severity": 1, "qid": 42350 }
            ],
            "vulnCount": 6
          }
        ],
        "created": 1568753271000,
        "updated": 1600191908000,
        "assetInterfaces": [
          {
            "hostname": "www.qualys.com",
            "address": "64.39.96.133"
          }
        ],
        "certificateCount": 0
      }
    ],
    "selfSigned": false,
    "validTo": 1628078400000,
    "issuerCategory": "unapproved",
    "subjectAlternativeNames": {
      "IP Address": null,
      "DNS Name": [
        "qualys.com",
        "www.qualys.com"
      ]
    },
    "lastFound": 1600191908000,
    "extendedValidation": true,
    "orderStatus": ""
  }
]
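
As an added example (not part of the Qualys guide), the Python below triages records shaped like the sample response: it converts the epoch-millisecond validTo value, then flags expiry, self-signed certificates, small keys, weak signature algorithms, host grades and legacy protocols. The thresholds, the legacy protocol and SHA1/MD5 spellings, the A-grade rule and the second sample record are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Assumed spellings for older protocol versions, modelled on the page's "TLSv1.2".
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def ms_to_utc(ms):
    """validFrom, validTo and lastFound are epoch milliseconds in the sample."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def triage(cert, now, warn_days=30, min_key_bits=2048):
    """Return the list of findings for one certificate record."""
    findings = []
    remaining = ms_to_utc(cert["validTo"]) - now
    if remaining.total_seconds() < 0:
        findings.append("expired")
    elif remaining.days <= warn_days:
        findings.append(f"expires in {remaining.days} days")
    if cert.get("selfSigned"):
        findings.append("self-signed")
    # The threshold is meant for RSA keys; the sample carries no key-type field.
    bits = cert.get("keySize")
    if bits is not None and bits < min_key_bits:
        findings.append(f"key size {bits}")
    sig = cert.get("signatureAlgorithm", "")
    if sig.upper().startswith(("SHA1", "MD5")):
        findings.append(f"weak signature {sig}")
    for asset in cert.get("assets", []):
        for inst in asset.get("hostInstances", []):
            where = f"{asset.get('name')}:{inst.get('port')}"
            grade = inst.get("grade", "")
            if grade and not grade.startswith("A"):
                findings.append(f"{where} grade {grade}")
            legacy = sorted(LEGACY_PROTOCOLS & set(inst.get("sslProtocols", [])))
            if legacy:
                findings.append(f"{where} offers {', '.join(legacy)}")
    return findings


def report(records, now):
    """Map certhash -> findings, keeping only certificates that need attention."""
    out = {}
    for cert in records:
        found = triage(cert, now)
        if found:
            out[cert["certhash"]] = found
    return out


# Constructed input: the first record is cut down from the page's sample
# response, the second is invented so that every check fires.
SAMPLE = [
    {
        "certhash": "61ffdf5ec74189b0f6f256fc42fe858bb04c1862c0f4cb9ec9d5f9bf4b2e0499",
        "keySize": 2048, "signatureAlgorithm": "SHA256withRSA",
        "selfSigned": False, "validTo": 1628078400000,
        "assets": [{"name": "www.qualys.com", "hostInstances": [
            {"port": 443, "grade": "A", "sslProtocols": ["TLSv1.2"]}]}],
    },
    {
        "certhash": "constructed-weak-certificate",
        "keySize": 1024, "signatureAlgorithm": "SHA1withRSA",
        "selfSigned": True, "validTo": 1609459200000,  # 2021-01-01T00:00:00Z
        "assets": [{"name": "legacy.example.test", "hostInstances": [
            {"port": 8443, "grade": "C", "sslProtocols": ["TLSv1", "TLSv1.2"]}]}],
    },
]

if __name__ == "__main__":
    fixed_now = datetime(2021, 7, 15, tzinfo=timezone.utc)
    for certhash, findings in report(SAMPLE, fixed_now).items():
        print(certhash, findings)
```
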


Sample with certificateDetails parameter set to Extended


Request:


curl -X POST "https://gateway.qg1.apps.qualys.com/certview/v1/certificates" \
  -H "Accept: application/json" -H "Content-Type: application/json" \
  -d "{ \"filter\" : \"subject.name:www.qualys.com\", \"pageNumber\": 0, \"pageSize\" : 1, \"certificateDetails\": \"extended\"}" \
  -H "Authorization: Bearer <JWT Token>"


Response: 


[
  {
    "keySize": 2048,
    "subject": {
      "organization": "Qualys, Inc.",
      "locality": "Foster City",
      "name": "www.qualys.com",
      "state": "California",
      "country": "US",
      "organizationUnit": []
    },
    "validFrom": 1596067200000,
    "signatureAlgorithm": "SHA256withRSA",
    "issuer": {
      "organization": "DigiCert Inc",
      "organizationUnit": [
        "www.digicert.com"
      ],
      "name": "DigiCert SHA2 Extended Validation Server CA",
      "country": "US",
      "state": "",
      "certhash": "403e062a2653059113285baf80a0d4ae422c848c9f78fad01fc94bc5b87fef1a",
      "locality": ""
    },
    "rootissuer": {
      "organization": "DigiCert Inc",
      "organizationUnit": [
        "www.digicert.com"
      ],
      "name": "DigiCert SHA2 Extended Validation Server CA",
      "country": "US",
      "state": "",
      "certhash": "7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf",
      "locality": ""
    },
    "instanceCount": 1,
    "dn": "CN=www.qualys.com, O=\"Qualys, Inc.\", L=Foster City, ST=California, C=US, serialNumber=3152140, StateOrProvince=Delaware, CountryName=US, businessCategory=Private Organization",
    "certhash": "61ffdf5ec74189b0f6f256fc42fe858bb04c1862c0f4cb9ec9d5f9bf4b2e0499",
    "assets": [
      {
        "netbiosName": "",
        "assetId": "a8999684-49c1-4492-87a9-8a9f77a1ef84",
        "name": "www.qualys.com",
        "operatingSystem": "NetScaler",
        "tags": [
          {
            "name": "Internet Facing Assets",
            "uuid": "49af0a63-f5f2-4b2c-b942-af22afd91243"
          }
        ],
        "hostInstances": [
          {
            "protocol": "tcp",
            "sslProtocols": [
              "TLSv1.2"
            ],
            "port": 443,
            "grade": "A",
            "service": "http",
            "fqdn": "",
            "vulnerabilities": [
              { "title": "SSL Certificate - Information", "severity": 1, "qid": 86002 },
              { "title": "SSL/TLS Protocol Properties", "severity": 1, "qid": 38706 },
              { "title": "SSL Server Information Retrieval", "severity": 1, "qid": 38116 },
              { "title": "SSL/TLS invalid protocol version tolerance", "severity": 1, "qid": 38597 },
              { "title": "HTTP Strict Transport Security (HSTS) Support Detected", "severity": 1, "qid": 86137 },
              { "title": "TLS Secure Renegotiation Extension Support Information", "severity": 1, "qid": 42350 }
            ],
            "vulnCount": 6
          }
        ],
        "created": 1568753271000,
        "updated": 1600191908000,
        "assetInterfaces": [
          {
            "hostname": "www.qualys.com",
            "address": "64.39.96.133"
          }
        ],
        "certificateCount": 0
      }
    ],
    "selfSigned": false,
    "validTo": 1628078400000,
    "issuerCategory": "unapproved",
    "serialNumber": "0e66f3475fd186c97dbd7fc274b0ddca",
    "subjectAlternativeNames": {
      "DNS Name": [
        "qualys.com",
        "www.qualys.com"
      ],
      "IP Address": null
    },
    "lastFound": 1600191908000,
    "extendedValidation": true,
    "orderStatus": "",
    "keyUsage": [
      "Digital signature",
      "Key encipherment"
    ],
    "rawData": "-----BEGIN CERTIFICATE-----\n…\n-----END CERTIFICATE-----\n",
    "enhancedKeyUsage": [
      "1.3.6.1.5.5.7.3.1",
      "1.3.6.1.5.5.7.3.2"
    ],
    "subjectKeyIdentifier": "4a993181cf0dc0be2f904df202d5a4ee86c58edc",
    "authKeyIdentifier": "3dd350a5d6a0adeef34a600a65d321d4f8f8d60f"
  }
]
List Assets for a Certificate


/certview/v1/certificates/{certhash}/assets 
[POST] 


Use this API function to retrieve a list of the assets of the specific certificate. Use cert hash 
as an input query. The response contains all the asset details of the specific certificate. 
View details of assets like tags and instances. Use this API to get all the assets when the 
certificate has more than 1000 assets. If the total count is greater than the number of 
results returned, you can fetch the next page by calling the API again with the next page 
number. 


Input Parameters 


certhash (string)
    Query parameter - Provide hash of the certificate.

attributes
    (Optional) Provide specific attributes to display additional
    asset details based on
    - tags: View certificate list of assets with specified tags.
    - hostInstances: View the certificate list which contains list of
      instances on which this certificate was found.
    - tags and hostInstances: View the certificate list which
      contains all the primitive details of the assets along with the
      asset tags and instances on which this certificate was found.

filter (String)
    (Optional) Filter the events list by providing a query using
    Qualys syntax. Refer to the How to Search topic in the online
    help for assistance with creating your query.

    For example - expiryGroup: Expired

    Refer to the list of tokens you can use to build the query:
    Search tokens

pageNumber (Integer)
    (Optional) The page to be returned. Starts from zero.

pageSize (Integer)
    (Optional) Provide the number of records per page to be
    included in the response.
    Default: 10.
    Maximum: 200

    For example, the total result set is 8000 assets. If the page size
    is specified as 80, then the result is divided in 100 pages with
    80 assets each.

    Note: Use combination of pageNumber and pageSize parameters to ensure that the
    results returned are less than 10000 records. If it exceeds 10000 records then an error
    message is displayed.

sort (String)
    (Optional) Sort the results in ascending or descending order.
    By default the result is sorted by {updated: desc}


Note: This API supports only new query format. For more details refer to Query Example.


Permissions 
- User must be a Super User or must have the CERTVIEW.API.ACCESS permission. 
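
As an added example (not code from the Qualys guide), the Python client below ties together the authentication and paging rules described for List Certview Certificates and List Assets for a Certificate: it renews the JWT before the 4-hour expiry, starts at pageNumber zero, caps pageSize at 200 and stops before the 10000-record window. The class and function names, the five-minute refresh margin, the raw-token /auth response body and the "short page means last page" stop rule are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_TTL = 4 * 3600     # from the guide: the JWT expires in 4 hours
REFRESH_MARGIN = 300     # assumption: renew five minutes early
MAX_PAGE_SIZE = 200      # from the guide: pageSize maximum
MAX_WINDOW = 10000       # from the guide: more than 10000 records is an error


def http_post(url, body, headers):
    """Default transport: HTTPS POST, returns the response body as text."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


class CertViewClient:
    def __init__(self, base_url, username, password, post=http_post, clock=time.time):
        # The guide requires HTTPS; refuse anything that would send the
        # credentials or the bearer token in clear text.
        if not base_url.startswith("https://"):
            raise ValueError("the gateway must be addressed over https")
        self.base = base_url.rstrip("/")
        self._creds = (username, password)
        self._post, self._clock = post, clock
        self._jwt, self._issued = None, 0.0

    def _bearer(self):
        now = self._clock()
        if self._jwt is None or now - self._issued >= TOKEN_TTL - REFRESH_MARGIN:
            form = urllib.parse.urlencode({
                "username": self._creds[0], "password": self._creds[1],
                "token": "true", "permissions": "true"}).encode()
            # Assumption: the /auth response body is the token itself.
            self._jwt = self._post(self.base + "/auth", form, {
                "Content-Type": "application/x-www-form-urlencoded"}).strip()
            self._issued = now
        return "Bearer " + self._jwt

    def records(self, path, query_filter=None, page_size=MAX_PAGE_SIZE):
        """Yield every record from a paged CertView list endpoint."""
        if not 1 <= page_size <= MAX_PAGE_SIZE:
            raise ValueError("pageSize must be between 1 and 200")
        page = 0                                  # pageNumber starts from zero
        while True:
            if (page + 1) * page_size > MAX_WINDOW:
                raise RuntimeError("10000-record window reached; narrow the filter")
            body = {"pageNumber": page, "pageSize": page_size}
            if query_filter:
                body["filter"] = query_filter
            text = self._post(self.base + path, json.dumps(body).encode(), {
                "Accept": "application/json", "Content-Type": "application/json",
                "Authorization": self._bearer()})
            batch = json.loads(text)
            yield from batch
            if len(batch) < page_size:            # assumption: a short page is the last
                return
            page += 1


def asset_path(certhash):
    """Path of List Assets for a Certificate, with certhash quoted as one segment."""
    return "/certview/v1/certificates/%s/assets" % urllib.parse.quote(certhash, safe="")
```

Read the user name and password from a secrets store or the environment rather than the command line, where they would be visible in the process list and shell history.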
Query Example


Example       If you want to view the certificate with asset name server1.
Old Format    asset.name:server1
New Format    asset:(name:server1)


Sample with all parameters defined 


Request:


curl -X POST "https://gateway.qg1.apps.qualys.com/certview/v1/certificates/<certhash>/assets" \
  --header "Accept: application/json" -H "Authorization: Bearer <JWT Token>" \
  -d "{\"certificateDetails\":\"basic\"}"


Response:
[
  {
    "netbiosName":"",
    "assetId":"8d6d19b5-9201-445b-87c2-b61aeb3f4fa5",
    "name":"ABC.COM",
    "operatingSystem":"NetScaler",
    "created":1587464966000,
    "updated":1625213136000,
    "assetInterfaces":[
      {
        "hostname":"ABC.COM",
        "address":"10.XXX.X.XX"
      }
    ],
    "certificateCount":0
  },
  {
    "netbiosName":"",
    "assetId":"2a9428e4-9130-4979-9f8c-dcfe86579c39",
    "name":"Server1",
    "operatingSystem":"NetScaler",
    "created":1591703972000,
    "updated":1624014415000,
    "assetInterfaces":[
      {
        "hostname":"ABC.COM",
        "address":"10.XXX.X.XX"
      }
    ],
    "certificateCount":0
  }
]
Chapter 3 - Analyze Certificate API


Use these API functions to analyze information based on host or IP.


Use this API to retrieve the list of endpoints that are associated with an FQDN in the
CertView inventory.


Analyze Certificate Information 
/certview/v1/analyze 


[POST] 


Input Parameters 


host (String)
    (Required) Host on which the scan is executed; it can also be an IP address.
    For example - www.ssllabs.com, 10.10.10.10

Authorization (String)
    (Required) Authorization token to authenticate to the Qualys
    Cloud Platform.
    Prepend token with "Bearer" and one space. For example -
    Bearer authToken


Permissions
- User must be a Super User or must have the CERTVIEW.API.ACCESS permission.


Sample - Host is IP 


Request:
curl -X POST "https://gateway.qg1.apps.qualys.com/certview/v1/analyze" \
  -H "Accept: application/json" -H "Content-Type: application/json" \
  -d "{\"host\":\"XXX.XXX.XXX.XXX\"}" -H "Authorization: Bearer <JWT Token>"

Response:
{
  "host": "XXX.XXX.XXX.XXX",
  "endpoints": [
    {
      "ipAddress": "XXX.XXX.XXX.XXX",
      "port": 443,
      "service": "http",
      "serverName": "",
      "grade": "A",
      "gradeTrustIgnored": "A",
      "hasWarnings": false,
      "exceptional": false
    }
  ]
}
Sample - Host is FQDN


Request:
curl -X POST "https://gateway.qg1.apps.qualys.com/certview/v1/analyze" \
  -H "Accept: application/json" -H "Content-Type: application/json" \
  -d "{\"host\":\"www.qualys.com\"}" -H "Authorization: Bearer <JWT Token>"

Response:
{
  "host": "www.qualys.com",
  "endpoints": [
    {
      "ipAddress": "XXX.XXX.XXX.XXX",
      "port": 443,
      "service": "http",
      "serverName": "",
      "grade": "A",
      "gradeTrustIgnored": "A",
      "hasWarnings": false,
      "exceptional": false
    }
  ]
}
Chapter 4 - Endpoint API
List Endpoints


Use this API function to retrieve detailed endpoint information.


List Endpoints 
/certview/v1/getEndpointData 
[POST] 


Input Parameters 


Authorization (String)
    (Required) Authorization token to authenticate to the Qualys
    Cloud Platform.
    Prepend token with "Bearer" and one space. For example -
    Bearer authToken

ip (String)
    (Required) Host IP for which the endpoint details are required.

port (Integer)
    Used to filter the endpoint details based on port.
    In Certview scan, we can scan multiple ports as certificates
    can be found on multiple ports. Define the port number to
    filter the endpoint data based on port.

fqdn (String)
    Used to filter the endpoint details based on FQDN.
    Note: For filtering based on fqdn, port is required parameter.
    Also, this field is required if the service or protocol parameter
    is specified.

service (String)
    Used to filter the endpoint details based on service.
    Note: For filtering based on fqdn, port is required parameter.
    Also, this field is required if the fqdn or protocol parameter is
    specified.

protocol (String)
    Used to filter the endpoint details based on protocol.
    Note: For filtering based on fqdn, port is required parameter.
    Also, this field is required if the service or protocol parameter
    is specified.


Permissions


- User must be a Super User or must have the CERTVIEW.API.ACCESS permission.
Sample with all parameters defined


Request:


curl -X POST "https://gateway.qg1.apps.qualys.com/certview/v1/getEndpointData" \
  -H "Accept: application/json" -H "Content-Type: application/json" \
  -d "{ \"ip\": \"XXX.XXX.XXX.XXX\", \"port\": 443, \"fqdn\": \"\", \"service\": \"tcp\"}" \
  -H "Authorization: Bearer <JWT Token>"


Response: 
[
  {
    "ipAddress": "XXX.XXX.XXX.XXX",
    "port": 443,
    "lastFound": 1600191908000,
    "service": "http",
    "grade": "A",
    "gradeTrustIgnored": "A",
    "hasWarnings": false,
    "isExceptional": false,
    "details": {
      "certChains": [
        {
          "certIds": [
            "61ffdf5ec74189b0f6f256fc42fe858bb04c1862c0f4cb9ec9d5f9bf4b2e0499",
            "403e062a2653059113285baf80a0d4ae422c848c9f78fad01fc94bc5b87fef1a",
            "7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf"
          ],
          "trustPaths": [
            {
              "certIds": [
                "61ffdf5ec74189b0f6f256fc42fe858bb04c1862c0f4cb9ec9d5f9bf4b2e0499",
                "403e062a2653059113285baf80a0d4ae422c848c9f78fad01fc94bc5b87fef1a",
                "7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf"
              ],
              "trust": [
                {
                  "rootStore": "Mozilla",
                  "isTrusted": true
                }
              ]
            }
          ],
          "noSni": false
        }
      ],
      "protocols": [
        {
          "id": 771,
          "name": "TLS",
          "version": "1.2"
        }
      ],
      "suites": [
        {
          "protocol": 771,
          "list": [
            { "id": 103, "name": "DHE-RSA-AES128-SHA256", "cipherStrength": 128, "kxType": "DH" },
            { "id": 107, "name": "DHE-RSA-AES256-SHA256", "cipherStrength": 256, "kxType": "DH" },
            { "id": 158, "name": "DHE-RSA-AES128-GCM-SHA256", "cipherStrength": 128, "kxType": "DH" },
            { "id": 159, "name": "DHE-RSA-AES256-GCM-SHA384", "cipherStrength": 256, "kxType": "DH" },
            { "id": 49171, "name": "ECDHE-RSA-AES128-SHA", "cipherStrength": 128, "kxType": "ECDH" },
            { "id": 49172, "name": "ECDHE-RSA-AES256-SHA", "cipherStrength": 256, "kxType": "ECDH" },
            { "id": 49191, "name": "ECDHE-RSA-AES128-SHA256", "cipherStrength": 128, "kxType": "ECDH" },
            { "id": 49192, "name": "ECDHE-RSA-AES256-SHA384", "cipherStrength": 256, "kxType": "ECDH" },
            { "id": 49199, "name": "ECDHE-RSA-AES128-GCM-SHA256", "cipherStrength": 128, "kxType": "ECDH" },
            { "id": 49200, "name": "ECDHE-RSA-AES256-GCM-SHA384", "cipherStrength": 256, "kxType": "ECDH" }
          ]
        }
      ],
      "vulnBeast": false,
      "renegSupport": 2,
      "compressionMethods": 0,
      "supportsRc4": false,
      "rc4WithModern": false,
      "rc4Only": false,
      "forwardSecrecy": 4,
      "supportsAead": true,
      "protocolIntolerance": 48,
      "heartbleed": false,
      "heartbeat": false,
      "openSslCcs": 1,
      "openSSLLuckyMinus20": 1,
      "ticketbleed": 1,
      "bleichenbacher": 1,
      "poodle": false,
      "poodleTls": 1,
      "fallbackScsv": false,
      "freak": false,
      "hasSct": 1,
      "logjam": false,
      "drownVulnerable": false,
      "zombiePoodle": 1,
      "goldenDoodle": 1,
      "supportsCBC": true,
      "zeroLengthPaddingOracle": 1,
      "sleepingPoodle": 1
    }
  }
]
Chapter 5 - Enroll and Renew Certificate APIs


Use these API functions to enroll new or renew existing certificates using the new APIs. 
The following APIs enable you to complete the end-to-end enrollment or renewal 
workflow: 


- Create Enrollment/Renewal Certificate Request
- Update Certificate Request
- Update Status of Certificate Request
- View Certificate Request
- List DigiCert Organizations
- List DigiCert Products
- List DigiCert EV Approvers


Permissions
- User must be a Super User or must have the CERTVIEW.API.ACCESS permission.


Create Enrollment/Renewal Certificate Request


Use this API to enroll or renew certificates.


APIs affected /certview/rest/public/v1/certificates/enrollment/digicert/orders

Method POST

New or Updated APIs


Input Parameters


Input parameters for Create and Update APIs


approverUserNames (array) (Required) Array of valid user names. User roles must be
manager, PKI admin or approvers.

intermediateCA (object) (Required) Intermediate Certificate Authority information.
Make sure:
- At least one of the params certhash, commonName or
serialNumber is required.
- CA is DigiCert's public intermediate CA
- CA is configured with CA API key

certhash (string) (Optional) Provide hash of the certificate.

commonName (string) (Optional) Fully qualified domain name of the Web server that
will receive the certificate

serialNumber (string) (Optional) A short, unique identifier for each certificate
generated by the certificate issuer

certificate (object) (Required)

commonName (string) (Required) Provide a wildcard character if the product name is
of wildcard type.

csr (object) (Required) Certificate Signing Request Information

autoGenerateCSR (boolean) (Optional) If this flag is set to True then Qualys will generate
csr value and return private key info in the response of the
API. If this field is set to True then encoded csr field can not
be set. By default the value is set to False.

encodedCSR (string) (Optional) A valid Encoded Certificate Signing Request

organizationUnits (array) (Optional) Provide value for the OU field for the certificate.

signatureHash (string) (Required) Certificate's signing algorithm hash. Accepted
values: SHA-256, SHA-384, SHA-512

renewal (object) (Optional) Required for certificate renewal request.

digicertPreviousOrderId (integer) (Required) If the request is a renewal of a previous request
then add the previous request id.

renewalOfCertificate (string) (Required) Provide certhash of the old certificate for which
this renewal request is required.
Make sure:
- certificate is in customer's account
- certificate is leaf certificate
- certificate is not in IN RENEWAL status

validity (object) (Required) Provide any one of the following values:
customExpirationDate, validityYears and validityDays params
Make sure only one value is provided in a request.

customExpirationDate (date) (Optional) Expiry date of the certificate.

validityYears (integer) (Optional) Number of years that the certificate is valid.

validityDays (integer) (Optional) Number of days that the certificate is valid.

digicertOrganizationId (integer) (Required) Get organization id using List DigiCert
Organizations API

digicertProductNameId (integer) (Required) Get product name id using List DigiCert Products
API

digicertEVApproverUserIds (array) (Optional) Required when product name is of EV type. Get EV
Approvers user id using List Digicert EV Approvers API

comment (string) (Optional) Any additional comments.
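
The constraints in the parameter table above can be checked on the client before a create or update request is sent. The following is an added example, not part of the Qualys guide: validate_order and its ev_product flag are hypothetical names, and pairing each rule with an Appendix A error code is an assumption, except 1907, whose Appendix A entry names the autoGenerateCSR/encodedCSR conflict.

```python
SIGNATURE_HASHES = {"SHA-256", "SHA-384", "SHA-512"}
CA_KEYS = ("certhash", "commonName", "serialNumber")
VALIDITY_KEYS = ("customExpirationDate", "validityYears", "validityDays")
REQUIRED = ("approverUserNames", "intermediateCA", "certificate", "validity",
            "digicertOrganizationId", "digicertProductNameId")


def validate_order(body, ev_product=False):
    """Check a create/update body against the documented parameter rules.

    Returns a list of (code, message). The codes are Appendix A error codes;
    which code goes with which rule is assumed here. ev_product is a
    hypothetical flag the caller sets when the chosen product is of EV type.
    """
    errors = []
    for key in REQUIRED:
        if body.get(key) in (None, [], {}):
            errors.append((1903, f"missing required parameter: {key}"))

    # intermediateCA: at least one identifying field must be present.
    ca = body.get("intermediateCA") or {}
    if ca and not any(ca.get(k) for k in CA_KEYS):
        errors.append((1922, "intermediateCA needs certhash, commonName or serialNumber"))

    cert = body.get("certificate") or {}
    if cert:
        if not cert.get("commonName"):
            errors.append((1903, "missing required parameter: certificate.commonName"))
        if cert.get("signatureHash") not in SIGNATURE_HASHES:
            errors.append((1905, "signatureHash must be SHA-256, SHA-384 or SHA-512"))
        csr = cert.get("csr")
        if not isinstance(csr, dict):
            errors.append((1903, "missing required parameter: certificate.csr"))
        elif csr.get("autoGenerateCSR") and csr.get("encodedCSR") is not None:
            errors.append((1907, "autoGenerateCSR: true and encodedCSR is not null"))

    # validity: exactly one of the three fields.
    validity = body.get("validity") or {}
    given = [k for k in VALIDITY_KEYS if validity.get(k) is not None]
    if len(given) > 1:
        errors.append((1904, "specify only one of: " + ", ".join(given)))
    elif validity and not given:
        errors.append((1922, "validity needs one of: " + ", ".join(VALIDITY_KEYS)))

    renewal = body.get("renewal")
    if renewal is not None and not renewal.get("renewalOfCertificate"):
        errors.append((1903, "missing required parameter: renewal.renewalOfCertificate"))

    if ev_product and not body.get("digicertEVApproverUserIds"):
        errors.append((1903, "EV product needs digicertEVApproverUserIds"))
    return errors


# Constructed sample modelled on the page's enrollment request; the CA hash
# is replaced by a placeholder.
SAMPLE = {
    "approverUserNames": ["quays_sd"],
    "certificate": {"commonName": "ABC.com", "csr": {"autoGenerateCSR": True},
                    "organizationUnits": ["QA"], "signatureHash": "SHA-256"},
    "comment": "api test",
    "digicertOrganizationId": 525858,
    "digicertProductNameId": "private ssl plus",
    "intermediateCA": {"certhash": "<intermediate CA certhash>"},
    "validity": {"validityYears": 1},
}

if __name__ == "__main__":
    print(validate_order(SAMPLE))
```
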


Sample to Submit Certificate Enrollment Request
API request:


curl -X POST \
"https://gateway.qg1.apps.qualys.com/certview/v1/certificates/digicert/orders" \
-H "Accept: application/json" -H "Content-Type: application/json" \
-d '{ "approverUserNames": [ "quays_sd" ],
"certificate": { "commonName": "ABC.com", "csr": {
"autoGenerateCSR": true }, "organizationUnits": [ "QA" ],
"signatureHash": "SHA-256" }, "comment": "api test",
"digicertOrganizationId": 525858, "digicertProductNameId":
"private ssl plus", "intermediateCA": { "certhash":
"a52d05988b61a33d6ac3edb449eb47150fa5b7a26c7dfc4e61f905ca36e165ee"
}, "validity": { "validityYears": 1 } }' \
-H "Authorization: Bearer <jwt token>"


Response:


{
  "uuid": "cb95d100-ec30-11ea-920d-eb66140967e3",
  "intermediateCA": {
    "name": "DigiCert Test SHA2 Intermediate CA-1",
    "certhash": "a52d05988b61a33d6ac3edb449eb47150fa5b7a26c7dfc4e61f905ca36e165ee"
  },
  "approverUserNames": [
    "quays_sd"
  ],
  "requesterUserName": "quays_sd",
  "certificate": {
    "commonName": "ABC.com",
    "organizationUnits": [
      "QA"
    ],
    "signatureHash": "SHA-256",
    "encodedCSR": "<csr>",
    "privateKey": "<private key>",
    "dnsNames": null
  },
  "renewal": null,
  "validity": {
    "validityYears": 1,
    "validityDays": null,
    "customExpirationDate": null
  },
  "digicertOrganization": {
    "id": 525858
  },
  "digicertProductNameId": "private ssl plus",
  "digicertEVApproverUserIds": null,
  "status": "SUBMITTED",
  "caStatus": "",
  "created": "2020-09-01T08:54:50.473+0000",
  "updated": "2020-09-01T08:54:50.473+0000"
}


Update Certificate Request


Use this API to edit an existing enrollment/renewal request.


APIs affected certview/rest/public/v1/certificates/enrollment/digicert/orders/{certificate_order_uuid}

Method PUT

New or Updated APIs New


Refer to Input Parameters


Sample to Update Certificate Request
API request:


curl -X PUT \
"https://gateway.qg1.apps.qualys.com/certview/v1/certificates/digicert/orders/cb95d100-ec30-11ea-920d-eb66140967e3" \
-H "Accept: application/json" -H "Content-Type: application/json" \
-d '{ "approverUserNames": [ "quays_sd" ], "certificate": {
"commonName": "ABC.com", "csr": { "autoGenerateCSR": true },
"organizationUnits": [ "QA" ], "signatureHash": "SHA-256" },
"comment": "Updated api test comment", "digicertOrganizationId":
525858, "digicertProductNameId": "private ssl plus",
"intermediateCA": { "certhash":
"a52d05988b61a33d6ac3edb449eb47150fa5b7a26c7dfc4e61f905ca36e165ee"
}, "validity": { "validityYears": 1 } }' \
-H "Authorization: Bearer <jwt token>"


Response:


{
  "uuid": "cb95d100-ec30-11ea-920d-eb66140967e3",
  "intermediateCA": {
    "name": "DigiCert Test SHA2 Intermediate CA-1",
    "certhash": "a52d05988b61a33d6ac3edb449eb47150fa5b7a26c7dfc4e61f905ca36e165ee"
  },
  "approverUserNames": [
    "quays_sd"
  ],
  "requesterUserName": "quays_sd",
  "certificate": {
    "commonName": "ABC.com",
    "organizationUnits": [
      "QA"
    ],
    "signatureHash": "SHA-256",
    "encodedCSR": "<csr>",
    "privateKey": "<private key>",
    "dnsNames": null
  },
  "renewal": null,
  "validity": {
    "validityYears": 1,
    "validityDays": null,
    "customExpirationDate": null
  },
  "digicertOrganization": {
    "id": 525858
  },
  "digicertProductNameId": "private ssl plus",
  "digicertEVApproverUserIds": null,
  "status": "SUBMITTED",
  "caStatus": "",
  "created": "2020-09-01T08:54:50.473+0000",
  "updated": "2020-09-01T08:58:58.138+0000"
}


Update Status of Certificate Request


Use this API to approve, reject, or cancel an existing enrollment/renewal request.


APIs affected certview/rest/public/v1/certificates/enrollment/digicert/orders/{certificate_order_uuid}/status

Method PUT

New or Updated APIs New


Input Parameters


Input parameters for Status update API


status (string) (Required) Provide one of the following: APPROVED,
CANCELLED, REJECTED
Make sure:
- Only one of approvers, pki or manager can approve, reject or
cancel
- Once approved, a request cannot be rejected or canceled


comment (string) (Required) Comments about status change.


Sample to Update Status of Certificate Request


API request:
curl -X PUT \
"https://gateway.qg1.apps.qualys.com/certview/v1/certificates/digicert/orders/cb95d100-ec30-11ea-920d-eb66140967e3/status" \
-H "Accept: application/json" -H "Content-Type: application/json" \
-d '{
"comment": "API request Cancelled",
"status": "CANCELLED"
}' \
-H "Authorization: Bearer <jwt token>"

Response:


No Content
Response Code: 204


View Certificate Request


Use this API to get details for specified request.


APIs affected certview/rest/public/v1/certificates/enrollment/digicert/orders/{certificate_order_uuid}

Method GET

New or Updated APIs


Input Parameters


Input parameters for View certificate request API

uuid (string) (Required) UUID of the certificate

approverUserNames (array) (Required) Array of valid user names. User roles must be
manager, PKI admin or approvers.

requesterUserName (string) Requester user name.

intermediateCA (object) (Required) Intermediate Certificate Authority information.
Make sure:
- At least one of the params certhash, commonName or
serialNumber is required.
- CA is DigiCert's public intermediate CA
- CA is configured with CA API key

certhash (string) (Optional) Provide hash of the certificate.

commonName (string) (Optional) Fully qualified domain name of the Web server that
will receive the certificate

serialNumber (string) (Optional) A short, unique identifier for each certificate
generated by the certificate issuer

certificate (object) (Required)

commonName (string) (Required) Provide a wildcard character if the product name is
of wildcard type.

csr (object) (Required) Certificate Signing Request Information

autoGenerateCSR (boolean) (Optional) If this flag is set to True then Qualys will generate
csr value and return private key info in the response of the
API. If this field is set to True then encoded csr field can not
be set. By default the value is set to False.

encodedCSR (string) (Optional) A valid Encoded Certificate Signing Request

organizationUnits (array) (Optional) Provide value for the OU field for the certificate.

signatureHash (string) (Required) Certificate's signing algorithm hash. Accepted
values: SHA-256, SHA-384, SHA-512

renewal (object) (Optional) Required for certificate renewal request.

digicertPreviousOrderId (integer) (Required) If the request is a renewal of a previous request
then add the previous request id.

renewalOfCertificate (string) (Required) Provide certhash of the old certificate for which
this renewal request is required.
Make sure:
- certificate is in customer's account
- certificate is leaf certificate
- certificate is not in IN RENEWAL status

validity (object) (Required) Provide any one of the following values:
customExpirationDate, validityYears and validityDays params
Make sure only one value is provided in a request.

customExpirationDate (date) (Optional) Expiry date of the certificate

validityYears (integer) (Optional) Number of years that the certificate is valid

validityDays (integer) (Optional) Number of days that the certificate is valid

digicertOrganizationId (integer) (Required) Get organization id using List DigiCert
Organizations API

digicertProductNameId (integer) (Required) Get product name id using List DigiCert Products
API

digicertEVApproverUserIds (array) (Optional) Required when product name is of EV type. Get EV
Approvers user id using List Digicert EV Approvers API

status (string) (Optional) Provide any of the following values: CANCELLED,
APPROVED, SUBMITTED, ISSUED

caStatus (string) (Optional) Status from the Certificate Authority

created (date) (Optional) Date the request was created

updated (date) (Optional) Date the request was updated
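
In the samples on this page, the create and update responses carry the generated key in certificate.privateKey when autoGenerateCSR is true, while the View sample below shows privateKey as null. The following added example (not Qualys code) shows one way a client can take the key out of such a response into an owner-only file and keep it out of logs; the function names, the file naming, the "<redacted>" marker and the dummy key are assumptions, and it assumes a POSIX file system.

```python
import copy
import json
import os
import uuid


def store_private_key(order, key_dir):
    """Write certificate.privateKey to <key_dir>/<uuid>.key, owner-only.

    Returns the path, or None when the response carries no key.
    """
    key = (order.get("certificate") or {}).get("privateKey")
    if not key:
        return None
    # The uuid comes from the response body; parsing it as a UUID ensures it
    # cannot carry path separators into the file name.
    name = str(uuid.UUID(order["uuid"])) + ".key"
    path = os.path.join(key_dir, name)
    # O_EXCL refuses to overwrite an existing key; mode 0o600 is applied at
    # creation, so the file is never briefly readable by other users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
    return path


def redact(order):
    """Return a copy that is safe to log: privateKey replaced by a marker."""
    safe = copy.deepcopy(order)
    cert = safe.get("certificate")
    if isinstance(cert, dict) and cert.get("privateKey"):
        cert["privateKey"] = "<redacted>"
    return safe


def handle_order_response(raw_json, key_dir):
    """Parse a create/update response; return (key_path, loggable_json)."""
    order = json.loads(raw_json)
    path = store_private_key(order, key_dir)
    return path, json.dumps(redact(order), sort_keys=True)


# Constructed response, trimmed to the fields used here; the key is a dummy.
SAMPLE_RESPONSE = json.dumps({
    "uuid": "cb95d100-ec30-11ea-920d-eb66140967e3",
    "certificate": {
        "commonName": "ABC.com",
        "encodedCSR": "<csr>",
        "privateKey": "-----BEGIN DUMMY KEY-----\nnot-a-real-key\n-----END DUMMY KEY-----\n",
    },
    "status": "SUBMITTED",
})

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(handle_order_response(SAMPLE_RESPONSE, tmp))
```
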


Sample to View Certificate Request


API request:


curl -X GET \
"https://gateway.qg1.apps.qualys.com/certview/v1/certificates/digicert/orders/cb95d100-ec30-11ea-920d-eb66140967e3" \
-H "Accept: application/json" -H "Content-Type: application/json" \
-H "Authorization: Bearer <jwt token>"


Response:


{
  "uuid": "cb95d100-ec30-11ea-920d-eb66140967e3",
  "intermediateCA": {
    "name": "DigiCert Test SHA2 Intermediate CA-1",
    "certhash": "a52d05988b61a33d6ac3edb449eb47150fa5b7a26c7dfc4e61f905ca36e165ee"
  },
  "approverUserNames": [
    "quays_sd"
  ],
  "requesterUserName": "quays_sd",
  "certificate": {
    "commonName": "ABC.com",
    "organizationUnits": [
      "QA"
    ],
    "signatureHash": "SHA-256",
    "encodedCSR": "<csr>",
    "privateKey": null,
    "dnsNames": null
  },
  "renewal": null,
  "validity": {
    "validityYears": 1,
    "validityDays": null,
    "customExpirationDate": null
  },
  "digicertOrganization": {
    "id": 525858
  },
  "digicertProductNameId": "private ssl plus",
  "digicertEVApproverUserIds": null,
  "status": "SUBMITTED",
  "caStatus": "",
  "created": "2020-09-01T08:54:50.473+0000",
  "updated": "2020-09-01T08:58:58.138+0000"
}


List DigiCert Organizations


Use this API to list Organizations registered with DigiCert.


APIs affected certview/rest/public/v1/certificates/enrollment/digicert/organizations

Method POST

New or Updated APIs New


Input Parameters


Input parameters for DigiCert APIs. It is required to provide at least one of the params
certhash, commonName or serialNumber.


certhash (string) (Optional) Secure hash of the certificate


commonName (string) (Optional) Fully qualified domain name of the Web server that
will receive the certificate


serialNumber (string) (Optional) A short, unique identifier for each certificate
generated by the certificate issuer


Sample to List DigiCert Organizations


API request:


curl -X POST \
"https://gateway.qg1.apps.qualys.com/certview/v1/certificates/digicert/organizations" \
-H "Accept: application/json" -H "Content-Type: application/json" \
-d '{
"certhash":
"a52d05988b61a33d6ac3edb449eb47150fa5b7a26c7dfc4e61f905ca36e165ee"
}' \
-H "Authorization: Bearer <jwt token>"

Response:

{
  "organizations": [
    {
      "id": 525858,
      "status": "active",
      "name": "Qualys, Inc",
      "assumedName": null,
      "displayName": "Qualys, Inc",
      "active": true
    }
  ]
}


List DigiCert Products


Use this API to list DigiCert products for your account.


APIs affected certview/rest/public/v1/certificates/enrollment/digicert/products

Method POST

New or Updated APIs New


Refer to Input Parameters


Sample to List DigiCert Products


API request:


curl -X POST \
"https://gateway.qg1.apps.qualys.com/certview/v1/certificates/digicert/products" \
-H "Accept: application/json" -H "Content-Type: application/json" \
-d '{
"certhash":
"a52d05988b61a33d6ac3edb449eb47150fa5b7a26c7dfc4e61f905ca36e165ee"
}' \
-H "Authorization: Bearer <jwt token>"

Response:


{
  "products": [
    {
      "groupName": "securesite ssl certificate",
      "nameId": "ssl ev securesite",
      "name": "Secure Site EV SSL",
      "type": "ssl certificate",
      "sslCertificateType": null
    },
    {
      "groupName": "securesite ssl certificate",
      "nameId": "ssl ev securesite multi domain",
      "name": "Secure Site EV Multi-Domain SSL",
      "type": "ssl certificate",
      "sslCertificateType": null
    }
  ]
}


List Digicert EV Approvers


Use this API to list EV approvers registered with DigiCert.


APIs affected certview/rest/public/v1/certificates/enrollment/digicert/evApprovers

Method POST

New or Updated APIs New


Refer to Input Parameters


Sample to List Digicert EV Approvers


API request:


curl -X POST \
"https://gateway.qg1.apps.qualys.com/certview/v1/certificates/digicert/evApprovers" \
-H "Accept: application/json" -H "Content-Type: application/json" \
-d '{
"certhash":
"a52d05988b61a33d6ac3edb449eb47150fa5b7a26c7dfc4e61f905ca36e165ee"
}' \
-H "Authorization: Bearer <jwt token>"

Response:

{
  "evApprovers": [
    {
      "userId": "1541521",
      "name": "John White",
      "firstName": "John",
      "lastName": "White"
    },
    {
      "userId": "1551253",
      "name": "Kelly Smith",
      "firstName": "Kelly",
      "lastName": "Smith"
    }
  ]
}


Appendix A - Error codes/Descriptions


This appendix lists the Certificate View API error codes along with a description of what
each code means. For an API request that had an error, you'll find the error code and text
in the XML response.


HTTP Status       Error Code  Error Text                                                        Meaning
400 Bad Request   1903        Missing required parameter(s):...                                 The API request did not contain one or more parameters which are required.
400 Bad Request   1904        Please specify only one of these parameters....                   The API request contained 2 or more parameters from a group from which at most one may be specified.
400 Bad Request   1905        parameter ... has invalid value...                                The API request contained a valid parameter specified with an invalid value.
400 Bad Request   1907        The following combination of key=value pairs is not supported...  The API request contained an invalid or unsupported combination of parameters. Invalid value for following param. autoGenerateCSR: true and encodedCSR is not null.
400 Bad Request   140001      Malformed json                                                    The json request is not properly formed.
400 Bad Request   140002      Field is not editable                                             The requested field can not be edited.
400 Bad Request   140004      Enrollment is not supported for CA                                Enrollment/renewal of certificates by the specified CA is currently not supported.
400 Bad Request   140005      API key is not configured                                         Incorrect API details, please verify the API key in the Configuration tab.
400 Bad Request   140006      Invalid renewal certificate                                       Renewal failed due to one of the following reasons:
                                                                                                - certificate not found in inventory
                                                                                                - certificate is not a leaf certificate
                                                                                                - certificate is already in the process of being renewed
                                                                                                - certificate is not going to expire in next 60 days
400 Bad Request   140007      Certificate order type is not editable                            Cannot change an enrollment request to renewal request or vice versa
403 Forbidden     2012        User license is not authorized to run this API.                   The API request failed because the user's subscription does not have API access enabled.
403 Forbidden     148100      User does not have required permissions                           The API request failed because the user does not have the required permissions. Check user permissions in Admin module
403 Forbidden     148101      User has exhausted the allocated number of licenses               The API request failed because the order exceeds the allocated license count. Contact your Technical Account Manager for additional licenses
404 Not Found     148200      Invalid certificate order                                         Verify the order id
409 Conflict      1920        API resource is not editable                                      Certificate request can not be updated once it is in the POSTED status.
400 Bad Request   1922        Please specify at least one of the following parameters:...       The API request was missing some required information (but not necessarily a single specific parameter).